
Cryptoware/Cryptowall Warning and WGC

WGC Malware Ransomware


Mr_Deo #1 Posted 30 July 2019 - 03:29 PM



Seems the WGC is trying to make outbound connections to a server in Germany that was once used for Cryptoware/Ransomware/Cryptowall (circa late 2014, early 2015 until unknown). is the IP, 6881 is the port. What I can find/see is that in 2014/2015 it was used as a Tor node specifically for this type of malware. After 2015 it was used to serve websites that were - again - malware-laden. After 2017/2018 I am not sure. Ownership of the IP seems to have been in the same place since 2015, so I honestly wouldn't trust it.


It (the IP) seems to have about 15 listening services.  Multiple Database services, multiple proxy services, multiple torrent services, a few obscure file download services.

Many of the software packages I can see running are all 2-6 years out of date.


So basically... WGC is trying to connect to a server once used to Tor malware, later used to serve malware, and now has a huge amount of crap on it that would indicate it's either a honeypot or totally compromised.


I have not looked at what data the WGC is sending. The server itself seems to have a lot of issues. WG should be ashamed to be using such a server. The port (6881) that WGC is trying to reach is either stealthed or non-functioning, as it doesn't seem to listen. Port 6881 is most likely the modified Torrent that WG is using for their downloads; not blacklisting that IP is a bad move.


Those who can block this IP range should. Those who can't block it, just suck it up :P....

BotWhisperer #2 Posted 31 July 2019 - 09:25 AM

Thread has been closed by the moderation team due to being non-constructive.
